Interactive Research Report

The Open Source Conundrum

The risk in the global software supply chain

The Scale of Dependency

The global digital economy rests upon open source software—yet its maintenance infrastructure remains alarmingly fragile

0%
of commercial codebases contain open source
0
npm package requests in 2024
0%
of maintainers are unpaid hobbyists
0%
of codebases have outdated components

The "Zombie Code" Apocalypse

Software that remains operationally active despite being effectively dead in terms of development and security support

91%
Components 10+ Versions Behind
Systematic failure of patch management processes across commercial codebases
49%
No Activity in 2+ Years
Nearly half of codebases use components with no development activity in over two years
2.5+ yrs
Mean Vulnerability Age
Security debt is compounding, not clearing—known vulnerabilities remain unpatched for years
74%
High-Risk Exposure
Significant increase from 48% in 2022, indicating worsening security posture
95%
Vulnerabilities in Transitive Dependencies
The vast majority of security risks hide in dependencies of dependencies—invisible to developers
89.5%
Open Source Ecosystem Dormant
Only 10.5% of 7 million available components are actively used—the rest is a graveyard of latent risk

The Human Infrastructure Crisis

Behind trillions of automated requests lies a remarkably small and fragile human infrastructure

60%
Unpaid Hobbyists
The majority of maintainers receive no compensation for critical infrastructure work. This statistic has remained unchanged for years.
60%
Considered Quitting
High burnout risk across the ecosystem. 43% report their work adds stress, 48% feel it's "thankless work."
1
"Bus Factor" for Critical Projects
cURL runs on 20+ billion devices but is maintained primarily by one person. One absence could stall the project.
52%
More Likely to Fix Security
Paid maintainers are significantly more likely to respond to security issues. 20+ hrs/week vs fewer than 10 for unpaid.

Critical Infrastructure Status

The health and risk profile of the open source projects that power the modern internet

Technology | Age | Usage Scale | Maintainer Status | Risk Level | Key Vulnerabilities
NGINX | 21 years | 33% of all websites | Corporate (F5) | | F5 breach 2024; source code exfiltration
OpenSSL | 27 years | 87% of HTTPS websites | Professional (14 FTE) | | Heartbleed (2014); legacy code weight
cURL | 29 years | 20+ billion installations | 1 Lead (Sponsored) | | Bus factor of one; CVE-2023-38545
SQLite | 25 years | 1+ trillion databases | Consortium Model | | Closed contribution; fortress model
FFmpeg | 24 years | YouTube, VLC, browsers | Volunteers + STF | | CVE slop conflict; complexity barrier
Log4j | 23 years | 91% of Java applications | Volunteer | | Log4Shell (2021); transitive dependency
zlib | 30 years | Critical (all major OS) | 2 Primary (Volunteer) | | CVE-2023-45853; CVE-2022-37434
ImageMagick | 35 years | Web & graphic design | 4-7 Volunteers | | ImageTragick RCE; shell injection

Anatomy of Failure

The systemic risks have manifested in catastrophic failures that shook the industry

Why Open Source is Failing

The crisis in open source maintenance is fundamentally a market failure—value is privatized while costs are socialized

The "Free Rider" Problem
Multi-billion dollar corporations build products dependent on open source libraries but provide no financial or technical support to the creators. They capture all the value while externalizing all the costs.
$0 contributed by most Fortune 500
The Donation Model is Broken
Donations follow hype, not criticality. Frontend frameworks attract sponsorship while invisible infrastructure like zlib or glibc receives nothing. Relying on GitHub Sponsors is like busking—unpredictable and unsustainable.
$400/month for core-js
"Resentment Debt" Compounds
Maintainers who feel exploited are more likely to abandon projects, act capriciously, or become susceptible to malicious offers of "help"—a vector weaponized in the XZ Utils attack.
48% feel work is "thankless"
Hobbyist Hours, Enterprise Demands
Unpaid hobbyists spend fewer than 10 hours/week on maintenance. Professional maintainers spend 20+ hours. Yet enterprises expect instant responses to security issues from people doing this in their spare time.
10 hrs vs 20+ hrs/week
Security is Proportional to Pay
Paid maintainers are 52% more likely to research and respond to security issues, and 51% more likely to improve secure development practices. Unpaid work means unprioritized security.
52% more security work when paid
No Path to Professionalization
60% of maintainers remain unpaid hobbyists—a statistic unchanged for years. The industry has failed to create career paths for the people responsible for digital infrastructure.
60% unpaid (unchanged)

Assess Your Open Source Risk

Answer these questions to gauge your organization's dependency on open source and exposure to supply chain risks

How many open source dependencies does your primary application use?
Include both direct and transitive (indirect) dependencies
Do you maintain a Software Bill of Materials (SBOM)?
An SBOM is an inventory of all software components in your application
How frequently do you update your dependencies?
Consider both security patches and version upgrades
Do you evaluate the health of open source projects before adoption?
Factors include maintainer activity, funding, security practices, and community size
Do you use automated security scanning in your CI/CD pipeline?
Tools like Dependabot, Snyk, or similar that detect vulnerable dependencies
Does your organization contribute back to open source projects you depend on?
Contributions can be code, funding, bug reports, or documentation

The Path Forward

Strategic approaches for navigating the open source sustainability crisis

1. Implement SBOM Practices
Adopt Software Bill of Materials to gain visibility into your dependency graph. Use standards like CycloneDX or SPDX to automate inventory and enable rapid impact assessment during incidents.
2. Establish Curated Registries
Create internal "Gold Master" registries containing only vetted, scanned, and approved packages. Quarantine new packages for analysis before release to internal development environments.
3. Fund Critical Dependencies
Identify the open source projects most critical to your operations and contribute meaningfully—through direct funding, developer time, or enterprise support contracts via organizations like Tidelift.
4. Adopt Signed Provenance
Implement cryptographic signing with tools like Sigstore to verify that binary artifacts match signed source code, preventing build-injection attacks like the XZ Utils backdoor.
5. Prepare for Regulation
The EU Cyber Resilience Act and US SBOM mandates are shifting liability to commercial integrators. Proactively establish compliance frameworks to avoid regulatory risk.
6. Build Supply Chain Teams
Establish dedicated Software Supply Chain departments responsible for dependency curation, security scanning, maintainer health monitoring, and vulnerability response coordination.

Building Technical Debt into Your Roadmap

How product and technology teams can make dependency management a first-class citizen in planning

Technical debt from open source dependencies is no longer a background concern—it's a strategic risk that demands executive attention and dedicated roadmap allocation. Teams that treat supply chain health as an afterthought will face compounding security, compliance, and operational costs.

Foundation: Establish Dependency Visibility
Before you can manage technical debt, you need to see it. Implement automated SBOM generation, dependency scanning, and maintainer health monitoring as the foundation for all roadmap decisions.
Tags: SBOM automation, Dependency dashboard, Health scoring
Quarterly: Allocate 15-20% for Maintenance
Reserve dedicated sprint capacity for dependency updates, security patches, and infrastructure modernization. This isn't "extra work"—it's the cost of using open source responsibly.
Tags: Sprint allocation, Update cycles
Annual: Strategic Dependency Decisions
Annually evaluate whether to fund, fork, or replace critical dependencies. Budget for enterprise support contracts or direct maintainer funding where the risk justifies investment.
Tags: Funding decisions, Fork evaluation
Cultural: Shift Left on Dependencies
Empower engineers to evaluate dependency health before adoption. Add maintainer activity, bus factor, and security posture to your library selection criteria—not just features and stars.
Tags: Selection criteria, Team training
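The SBOM practice in "The Path Forward" and the health scoring in "Establish Dependency Visibility" above come together in the following added example (it is not code from the report): it reads a CycloneDX SBOM, uses the dependency graph to tell direct from transitive components, and flags each one against the report's own thresholds (10+ versions behind, no activity in 2+ years, bus factor of one). The SBOM, the package names, the health metadata and the evaluation date are all constructed; where that metadata would come from in practice is an assumption.

```python
"""Score a CycloneDX SBOM against the report's 'zombie code' signals (10+ versions
behind, no activity for 2+ years, bus factor of one, transitive position)."""
import json
from datetime import date
# Constructed CycloneDX 1.5-style SBOM; its dependency graph separates direct from transitive components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "shop-api"}},
    "components": [
        {"bom-ref": "pkg:npm/widget-ui@3.0.0", "name": "widget-ui", "version": "3.0.0"},
        {"bom-ref": "pkg:npm/json-fast@2.1.0", "name": "json-fast", "version": "2.1.0"},
        {"bom-ref": "pkg:generic/libsqueeze@1.2.11", "name": "libsqueeze", "version": "1.2.11"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/widget-ui@3.0.0"]},
        {"ref": "pkg:npm/widget-ui@3.0.0", "dependsOn": ["pkg:npm/json-fast@2.1.0"]},
        {"ref": "pkg:npm/json-fast@2.1.0", "dependsOn": ["pkg:generic/libsqueeze@1.2.11"]},
    ],
})

# Constructed health metadata keyed by bom-ref (in practice: a registry API or a health-scoring service, assumed).
HEALTH = {
    "pkg:npm/widget-ui@3.0.0": {"versions_behind": 38, "last_commit": "2025-01-10", "maintainers": 1},
    "pkg:npm/json-fast@2.1.0": {"versions_behind": 12, "last_commit": "2024-09-01", "maintainers": 5},
    "pkg:generic/libsqueeze@1.2.11": {"versions_behind": 3, "last_commit": "2022-01-15", "maintainers": 2},
}
AS_OF = date(2025, 6, 1)  # constructed evaluation date

def transitive_refs(sbom):
    """bom-refs that the root component does not depend on directly."""
    root = sbom["metadata"]["component"]["bom-ref"]
    direct = {r for d in sbom["dependencies"] if d["ref"] == root
              for r in d.get("dependsOn", [])}
    return {c["bom-ref"] for c in sbom["components"]} - direct

def score(sbom_json, health, today):
    """Map component name -> list of risk flags, using the report's thresholds."""
    sbom = json.loads(sbom_json)
    transitive = transitive_refs(sbom)
    findings = {}
    for c in sbom["components"]:
        h = health[c["bom-ref"]]
        checks = [
            (h["versions_behind"] >= 10, "10+ versions behind"),
            ((today - date.fromisoformat(h["last_commit"])).days > 730, "no activity in 2+ years"),
            (h["maintainers"] <= 1, "bus factor of one"),
            (c["bom-ref"] in transitive, "transitive"),
        ]
        findings[c["name"]] = [label for hit, label in checks if hit]
    return findings
```

Run `score(SBOM_JSON, HEALTH, AS_OF)` to see that the two transitive components carry most of the flags, which is the "invisible to developers" point the report makes about 95% of vulnerabilities.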

Ready to Manage Technical Risk Strategically?

We partner with product and technology teams to build roadmaps that forecast open source risk, prioritize technical debt, and plan outcomes with confidence.

Let's Talk